9 Oct 2025
#threatreport #MediumCompleteness Disrupting threats targeting Microsoft Teams | 08-10-2025
Source: microsoft.com/en-us/security…
Key details below ↓
🧑‍💻Actors/Campaigns: Storm_1811, Storm-1674 (🧠motivation: cyber_criminal), Storm-2372, Carbanak (🧠motivation: financially_motivated, cyber_criminal), Sagrid (🧠motivation: financially_motivated), 0ktapus (🧠motivation: financially_motivated), Void_blizzard, Apt33
💀Threats: Roadtools_tool, Teamfiltration_tool, Email_bombing_technique, Reedbed, 3am_ransomware, Blacksuit_ransomware, Teamsphisher_tool, Darkgate, Anydesk_tool, Aadinternals_tool, Credential_stealing_technique, Device_code_phishing_technique, Jssloader, Password_spray_technique, Azurehound_tool, Ad_explorer_tool, Veildrive, Brc4_tool, Convoc2, Microsoft_quick_assist_tool, Qshing_technique, Clickfix_technique, Aitm_technique
🎯Victims: Microsoft teams users, It support and help desk personnel, Administrators, Organizations using microsoft 365
🏭Industry: E-commerce
📚TTPs: ⚔️Tactics: 13 🛠️Technics: 0
🧨IOCs: File: 2
💽Software: Microsoft Teams, Microsoft Defender, Microsoft Defender for Endpoint, Microsoft Entra, Graph API, Active Directory, Office 365, Jupyter notebooks, Twitter
🔢Algorithms: zip
🔠Functions: Teams, Graph, count
📜Programming Languages: powershell, python
💻Platforms: intel

#threatreport: Microsoft Teams is increasingly targeted by cybercriminals and state-sponsored actors due to its extensive collaboration features, which include messaging, calls, video sharing, and cross-tenant capabilities. Threat actors engage in various stages of attack, leveraging Microsoft Entra ID identities to conduct reconnaissance. They can enumerate directory objects and identify how external communications and tenant configurations are managed, ultimately seeking to map user privileges and potential attack paths. In their resource development phase, threat actors have been observed impersonating trusted users or acquiring compromised legitimate tenants.

By employing social engineering tactics and using branded domains, they effectively create credible personas to engage victims through Teams. Initial access methods frequently involve tech support scams, where malicious actors deliver remote monitoring and management tools alongside information-stealing malware. These tactics can lead to credential theft and ransomware deployments. Once inside, threat actors use persistent techniques to maintain access, including adding guest users or credentials to Teams accounts. They target both admin privileges and ordinary user accounts to trick individuals into executing malicious links or files. With successfully obtained refresh tokens, attackers can impersonate users and exploit Teams APIs, deploying tools like AADInternals to gather access tokens and explore organizational configurations for vulnerable assets. Attackers might laterally move across compromised networks by leveraging admin access to create trust relationships between organizations. For example, they can use previously compromised accounts to impersonate IT personnel, facilitating unauthorized access. In a specific incident, threat groups managed to solicit remote access from users in other organizations by exploiting Teams communication features. For data collection, threat actors often seek to mine Teams for valuable information that could assist further attacks, such as high-privileged accounts or collaboration channels. They leverage tools to harvest sensitive data from conversations and files within the environment. Exfiltration methods frequently involve directing stolen data to external cloud storage, taking advantage of the Teams messaging system to coordinate these transfers. Command-and-control operations can be executed via Teams chats, using malicious file attachments. For instance, adaptations of existing remote access tools can establish control channels within Teams, allowing for command dispatch through its protocols.

Mitigation strategies include implementing strict access controls within Microsoft Entra ID, enforcing multifactor authentication, and utilizing endpoint protection solutions like Microsoft Defender for Endpoint. Organizations are encouraged to regularly assess their Teams configurations, limit external access, and monitor Teams activity to detect potential threats. Adjusting settings to require verification for guest users and app installations can also help reduce attack surfaces. In summary, threat actors exploit various techniques to compromise Microsoft Teams environments, from initial access through social engineering scams to advanced lateral movement and resource exploitation. Continuous monitoring and proactive defense measures are crucial in mitigating these threats.
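Two of the initial-access patterns listed in the report above, device-code phishing (Storm-2372 style) and password spraying, written out as detection logic over sign-in records. This is an added example, not code from Microsoft or from the threat-report bot. The records are constructed for the example and mirror the field names of Microsoft Entra sign-in logs (UserPrincipalName, IPAddress, ResultType, AuthenticationProtocol, CreatedDateTime); result code 50126 is Entra's "invalid username or password" and the IP addresses come from the RFC 5737 documentation ranges.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows in the shape of Entra sign-in log entries (field names
# shortened). Nothing here is real telemetry; 203.0.113.0/24, 198.51.100.0/24 and
# 192.0.2.0/24 are documentation ranges, not attacker infrastructure.
SAMPLE_SIGNINS = [
    # Alice's normal browser sign-ins establish her baseline IP.
    {"upn": "alice@contoso.example", "ip": "203.0.113.10", "result": 0, "proto": "none", "ts": "2025-10-08T08:01:00Z"},
    {"upn": "alice@contoso.example", "ip": "203.0.113.10", "result": 0, "proto": "none", "ts": "2025-10-08T09:15:00Z"},
    # A successful device-code sign-in for Alice from an IP she has never used:
    # the expected outcome of a device-code lure delivered over Teams chat.
    {"upn": "alice@contoso.example", "ip": "198.51.100.77", "result": 0, "proto": "deviceCode", "ts": "2025-10-08T10:02:00Z"},
    # Bob uses the device-code flow from his usual IP (e.g. a headless CLI login).
    {"upn": "bob@contoso.example", "ip": "203.0.113.20", "result": 0, "proto": "none", "ts": "2025-10-08T07:30:00Z"},
    {"upn": "bob@contoso.example", "ip": "203.0.113.20", "result": 0, "proto": "deviceCode", "ts": "2025-10-08T11:00:00Z"},
    # Carol mistypes her password twice from her own IP: noise, not a spray.
    {"upn": "carol@contoso.example", "ip": "203.0.113.30", "result": 50126, "proto": "none", "ts": "2025-10-08T12:00:00Z"},
    {"upn": "carol@contoso.example", "ip": "203.0.113.30", "result": 50126, "proto": "none", "ts": "2025-10-08T12:00:30Z"},
]
# One external IP trying a password against six different accounts within a minute.
SAMPLE_SIGNINS += [
    {"upn": f"user{i}@contoso.example", "ip": "192.0.2.5", "result": 50126, "proto": "none",
     "ts": f"2025-10-08T13:00:{i * 10:02d}Z"}
    for i in range(6)
]

# Entra result codes that mean "wrong credential" (50126 invalid password,
# 50056 invalid or null password); lockouts and MFA failures are deliberately excluded.
FAILED_CREDENTIAL_CODES = {50126, 50056}


def parse_ts(value):
    """ISO-8601 with a trailing Z, as emitted by Entra, to an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect_device_code_signins(records):
    """Return every successful deviceCode sign-in, flagging those whose source IP
    the user had not used in any earlier successful sign-in. A user's very first
    sign-in being deviceCode counts as a new IP, which is the conservative choice."""
    ordered = sorted(records, key=lambda r: parse_ts(r["ts"]))
    known_ips = defaultdict(set)
    hits = []
    for r in ordered:
        if r["result"] != 0:
            continue
        if r["proto"] == "deviceCode":
            hits.append({"upn": r["upn"], "ip": r["ip"], "ts": r["ts"],
                         "new_ip": r["ip"] not in known_ips[r["upn"]]})
        known_ips[r["upn"]].add(r["ip"])
    return hits


def detect_password_spray(records, window=timedelta(minutes=10), min_accounts=5):
    """Return {ip: distinct accounts hit} for IPs whose credential failures cover at
    least `min_accounts` different accounts inside any sliding `window`. A single
    user failing repeatedly from one IP never crosses the threshold."""
    failures = defaultdict(list)
    for r in records:
        if r["result"] in FAILED_CREDENTIAL_CODES:
            failures[r["ip"]].append((parse_ts(r["ts"]), r["upn"]))
    sprayers = {}
    for ip, events in failures.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({upn for _, upn in events[start:end + 1]}))
        if best >= min_accounts:
            sprayers[ip] = best
    return sprayers


if __name__ == "__main__":
    for hit in detect_device_code_signins(SAMPLE_SIGNINS):
        print("deviceCode sign-in:", hit)
    print("password spray sources:", detect_password_spray(SAMPLE_SIGNINS))
```

The device-code check keys on the sign-in's authentication protocol rather than on the client app, because the phished user completes the flow in a legitimate Microsoft login page and the attacker then redeems the code from their own host; the only thing that reliably differs is where the tokens are issued to. On real SigninLogs data the same two functions can be fed rows from a KQL export after renaming the columns.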
22 Dec 2023
🔊 ThreatMon's weekly APT Review is ready! 👀
🕵‍ FIN7 is a cybercriminal organization that engages in malicious cyber activities and also goes by many different aliases such as CARBON SPIDER, GOLD NIAGARA, Calcium, ATK32, G0046, G0008, Coreid, Carbanak, Anunak, Gold Waterfall, Navigator, ATK 32, APT-C-11, ITG14, TAG-CR1. This group first emerged in 2013 and is based in #Russia.
🔎 FIN7's target countries include Australia, Austria, Brazil, Bulgaria, Canada, China, Czech Republic, France, Germany, Hong Kong, Iceland, India, Luxembourg, Malta, Morocco, Nepal, Norway, Pakistan, Poland, Russia, Spain, Sweden, Switzerland, Taiwan, United Kingdom, United States, Ukraine, Uzbekistan.
🎯 Targeted sectors include casinos, construction, education, energy, finance, food and agriculture, government, healthcare, high-tech, hospitality, retail, technology, telecommunications and transport.
🚨 The motivations of this group include financial crime and financial gain. Malware used by #FIN7 includes 7Logger, Antak, Astra, Ave Maria, BABYMETAL, Backdoor Batel, Bateleur, BELLHOP, BIOLOAD, BIRDWATCH, BlackMatter, Boostwrite, Cain & Abel, Carbanak, Cobalt Strike, CROWVIEW, DarkSide, DNSMessenger, DNSRat, DRIFTPIN, FlawedAmmyy, FOXGRABBER, Griffon, HALFBAKED, JS Flash, JSSLoader, KLRD, Lizar, LOADOUT, MBR Eraser, Meterpreter, Mimikatz, Odinaff, POWERPIPE, POWERPLANT, POWERSOURCE, PsExec, RDFSNIFFER, SocksBot, SoftPerfect Network Scanner, SQLRAT, TeamViewer, TinyMet, WARPRISM.
💡 FIN7's TTP (Tactics, Techniques, and Procedures) list includes T1543, T1543.003, T1562, T1562.004, T1036, T1036.004, T1036.005, T1588, T1588.002, T1219, T1218, T1218.011, T1078, T1102, T1102.002. These TTPs represent various attack and infiltration techniques used by the group.
👉 Try ThreatMon's Free Premium Access feature to avoid sophisticated attacks by the FIN7 #APT group and keep your systems #secure threatmon.io/free-trial/
👉 Access ThreatMon's free Command and Control service via Github to integrate the Command and Control (C&C) servers used by this APT group into your systems and increase your #security github.com/ThreatMon/ThreatM…
#threatmonsreview #hack #hacker #cybersecurity #cyberattack #threatintelligence #digitalriskprotection #attacksurfacemanagement #threatmon
In July 2023, we documented Storm-0324 using a new method of Teams-based phishing to deliver JSSLoader before handing the reins to Sangria Tempest. Read about the technical details, as well as how to protect yourself, from @guru_pixel on the blog. bit.ly/3tm4Dfj
13 Sep 2023
🔎 MS Teams phish are currently used by APTs and cybercriminals:
- APT29 / Midnight Blizzard 🇷🇺 (microsoft.com/en-us/security…)
- DarkGate Loader (leads to BianLian ransomware) (truesec.com/hub/blog/darkgat…)
- JSSLoader by Storm-0324/TA543 (linked to FIN7) (microsoft.com/en-us/security…)
2/3
Replying to @wdormann
I don't share that concern in this context. This isn't about exploitation or POCs but rather about JSSLoader, Gootkit, IcedID, and Trickbot. In my opinion, there's little risk of someone replicating the code for similar attacks.
19 Aug 2022
8 new OPEN, 14 new PRO (8 6) JSSLoader, Shuckworm, Android Banker and various CoinMiners. Thanks @Malwarebytes @symantec lists.emergingthreats.net/pi…
My new paper for @MBThreatIntel: "#JSSLoader - the #shellcode edition" : malwarebytes.com/blog/threat… // #FIN7
New #JSSLoader campaign today. Starts with an email from @EdibleArrangeSJ with a link that redirects you to ahlimedia-my.sharepoint[.]com & drops an xll that downloads JSSLoader from essentialsmassageanddayspa[.]com. That same domain is C2 to start and switches to bamadora[.]com
24 May 2022
JSSLoader is a remote access trojan that uses Microsoft Excel add-in (XLL) files as one of its delivery vectors. Read our new blog post to see how Wazuh can detect XLL dropper files in your network. ow.ly/ufFs50JgXZb #OpenSource #CyberSecurity #Infosec #SIEM #XDR
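The XLL-dropper detection the post above points to, written here as a stand-alone Python check rather than in Wazuh's rule syntax. This is an added example, not code from Wazuh or from the linked blog post. It applies the checks a file-integrity rule or a YARA signature for XLL droppers normally combines: the `.xll` extension, the PE `MZ` magic, the Excel add-in entry points (`xlAutoOpen` and friends) present in the export name table, and whether the file landed in a user-writable directory such as Downloads. The paths and file contents are constructed; a real XLL is a full PE image, and only the magic bytes and export names are simulated here.

```python
# Excel calls these exports when it loads an add-in; xlAutoOpen is the auto-run hook
# that droppers like the JSSLoader XLLs use to execute on open.
XLL_EXPORTS = (b"xlAutoOpen", b"xlAutoClose", b"xlAddInManagerInfo")

# Directory fragments that mean "a user or their mail client/browser wrote this",
# as opposed to an administrator installing a vetted add-in under Program Files.
USER_WRITABLE_HINTS = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\desktop\\")

# Constructed samples: path -> first bytes of the file as a FIM agent would read them.
SAMPLES = {
    r"C:\Users\victim\Downloads\invoice_2022.xll":
        b"MZ" + b"\x00" * 64 + b"xlAutoOpen\x00xlAutoClose\x00",
    r"C:\Program Files\Vendor\addin.xll":
        b"MZ" + b"\x00" * 64 + b"xlAutoOpen\x00",
    r"C:\Windows\System32\kernel32.dll":
        b"MZ" + b"\x00" * 64 + b"CreateFileW\x00",
    r"C:\Users\victim\Downloads\notes.xll":
        b"just text, not a PE image",
}


def classify_xll(path, data):
    """Return (severity, reasons) for a newly written file.

    high   : PE image exporting xlAutoOpen dropped into a user-writable directory
    medium : such an add-in elsewhere, or a .xll that is not a PE in a user directory
    low    : a non-PE .xll outside user directories
    none   : anything else
    """
    norm = path.replace("/", "\\").lower()
    name = norm.rsplit("\\", 1)[-1]
    ext = name[name.rfind("."):] if "." in name else ""
    in_user_dir = any(hint in norm for hint in USER_WRITABLE_HINTS)
    is_pe = data[:2] == b"MZ"
    found = [e.decode() for e in XLL_EXPORTS if e in data]
    is_addin = is_pe and "xlAutoOpen" in found

    reasons = []
    if is_addin:
        reasons.append("PE image exporting " + ", ".join(found))
    if ext == ".xll":
        reasons.append("file extension .xll")
    if in_user_dir:
        reasons.append("written to a user-writable directory")

    if is_addin and in_user_dir:
        severity = "high"
    elif is_addin or (ext == ".xll" and in_user_dir):
        severity = "medium"
    elif ext == ".xll":
        severity = "low"
    else:
        severity = "none"
    return severity, reasons


def scan(samples):
    """Classify every (path, bytes) pair and return those that are not benign."""
    results = []
    for path, data in samples.items():
        severity, reasons = classify_xll(path, data)
        if severity != "none":
            results.append((path, severity, reasons))
    return results


if __name__ == "__main__":
    for path, severity, reasons in scan(SAMPLES):
        print(f"{severity:6} {path}  ({'; '.join(reasons)})")
```

The export-name check is the same substring test most public XLL YARA rules use (`uint16(0) == 0x5A4D` plus the string `xlAutoOpen`), so a renamed add-in still trips it; the extension check catches placeholder or partially written files that a FIM agent sees before the content lands. In Wazuh the equivalent is a syscheck rule on `.xll` creations under user directories, which is what the linked post builds.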
6 Apr 2022
23 new OPEN, 30 new PRO (23 7). CVE-2022-1162, CVE-2022-26210, CVE-2022-26186, CVE-2022-25075, FIN7 JSSLoader, Others. lists.emergingthreats.net/pi…
4 Apr 2022
#BIRDWATCH, often referred to collectively as #JssLoader, used by #UNC3381 with some overlaps to FIN7. What a fun code family to dive into. A variant named CROWVIEW used by FIN7.
4 Apr 2022
🚨📝 New #FIN7 threat research blog, "Power Hour", published today by @Mandiant. Please enjoy 🌶🌶 mandiant.com/resources/evolu… Blog includes: - FIN7 archaeology & evolution ⛏ - #POWERPLANT deep dive - BIRDWATCH (~#JssLoader) - Supply chain (😱) neat stuff in thread 🧵⤵️
25 Mar 2022
13 new OPEN, 18 new PRO (13 5) FIN7 JSSLoader, Kimsuky, SodaMaster, Keitaro TDS, TrojanDownloader.Agent.GEM. Thanks @morphisec, @s1ckb017, @unmaskparasites lists.emergingthreats.net/pi…